<!--
  This file is a part of the open-eBackup project.
  This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0.
  If a copy of the MPL was not distributed with this file, You can obtain one at
  http://mozilla.org/MPL/2.0/.
  
  Copyright (c) [2024] Huawei Technologies Co.,Ltd.
  
  THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
  EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
  MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
  -->


<!DOCTYPE html
  PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="zh-cn" xml:lang="zh-cn">
<head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="DC.Type" content="topic">
<meta name="DC.Title" content="Creating an Intelligent Detection Policy">
<meta name="product" content="">
<meta name="DC.Relation" scheme="URI" content="zh-cn_topic_0000002165515180.html">
<meta name="prodname" content="">
<meta name="version" content="">
<meta name="brand" content="00-OceanCyber 300 1.2.0 Online Help">
<meta name="DC.Publisher" content="20250228">
<meta name="DC.Format" content="XHTML">
<meta name="DC.Identifier" content="ZH-CN_TOPIC_0000002165355492">
<meta name="DC.Language" content="zh-cn">
<link rel="stylesheet" type="text/css" href="public_sys-resources/commonltr.css">
<title>Creating an Intelligent Detection Policy</title>
</head>
<body style="clear:both; padding-left:10px; padding-top:5px; padding-right:5px; padding-bottom:5px"><a name="ZH-CN_TOPIC_0000002165355492"></a><a name="ZH-CN_TOPIC_0000002165355492"></a>

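<h1 class="topictitle1">Creating an Intelligent Detection Policy</h1>
<div id="body0000001482413418"><p id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_p1232219182511">Follow this section to create an intelligent detection policy that generates ransomware detection snapshots for file systems.</p>
<div class="section" id="ZH-CN_TOPIC_0000002165355492__section19341049194115"><h4 class="sectiontitle">Precautions</h4><ul id="ZH-CN_TOPIC_0000002165355492__ul328171214429"><li id="ZH-CN_TOPIC_0000002165355492__li16281212164214">The <span id="ZH-CN_TOPIC_0000002165355492__text1313824101312">OceanCyber 300 data security appliance</span> is deployed on a single server node. To ensure that services can be restored quickly after a server fault, configure a management data backup policy so that usable management data is available for restoring the system.</li><li id="ZH-CN_TOPIC_0000002165355492__li028110121426">File systems created by the <span id="ZH-CN_TOPIC_0000002165355492__text19250121813519">OceanCyber 300 data security appliance</span> itself are not subject to ransomware detection.</li><li id="ZH-CN_TOPIC_0000002165355492__li4281151219423">CLONE file systems are not subject to ransomware detection.</li><li id="ZH-CN_TOPIC_0000002165355492__li428115129421">For an intelligent detection policy with “Lock Uninfected Snapshots” enabled, snapshots found to be uninfected are converted to secure snapshots and cannot be deleted manually during the snapshot retention period.</li><li id="ZH-CN_TOPIC_0000002165355492__li1728111124420">The <span id="ZH-CN_TOPIC_0000002165355492__text3965202105118">OceanCyber 300 data security appliance</span> obtains information about changed files in a file system through the storage device's <span id="ZH-CN_TOPIC_0000002165355492__text317924611211">snapshot comparison</span> REST API. The appliance automatically enables the snapshot comparison function for file systems under detection.</li></ul>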
</div>
<div class="section" id="ZH-CN_TOPIC_0000002165355492__section16497142464611"><h4 class="sectiontitle">Procedure</h4><ol id="ZH-CN_TOPIC_0000002165355492__ol7499132416464"><li id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_li149381918143112"><span>Choose <span class="uicontrol" id="ZH-CN_TOPIC_0000002165355492__uicontrol11163163816356">“Data Security &gt; Intelligent Detection”</span>.</span></li><li id="ZH-CN_TOPIC_0000002165355492__li59781743184615"><span>Click the “<span id="ZH-CN_TOPIC_0000002165355492__text1822116053515">Intelligent Detection Policies</span>” tab.</span></li><li id="ZH-CN_TOPIC_0000002165355492__li1414511249483"><span>Click “<span id="ZH-CN_TOPIC_0000002165355492__text16719141763513">Create</span>”.</span></li><li id="ZH-CN_TOPIC_0000002165355492__li6387118134912"><span>Specify a name for the intelligent detection policy.</span></li><li id="ZH-CN_TOPIC_0000002165355492__li141200409527"><span>Select a detection mode.</span><p><ul id="ZH-CN_TOPIC_0000002165355492__ul575405120205"><li id="ZH-CN_TOPIC_0000002165355492__li3754251182017">Select <span class="uicontrol" id="ZH-CN_TOPIC_0000002165355492__uicontrol12453175119259">“<span id="ZH-CN_TOPIC_0000002165355492__text86753357571">Only generate ransomware detection snapshots</span>”</span>. With this mode, only ransomware detection snapshots are generated, and the snapshots are not detected immediately. You can later choose which snapshots to detect and detect them manually: on the <span class="menucascade" id="ZH-CN_TOPIC_0000002165355492__menucascade84251721172715">“<span class="uicontrol" id="ZH-CN_TOPIC_0000002165355492__uicontrol13616192202712"><span id="ZH-CN_TOPIC_0000002165355492__text05147310236">Data Security</span> &gt; <span id="ZH-CN_TOPIC_0000002165355492__text481381812239">Snapshot Data</span></span>”</span> page, click <span class="menucascade" id="ZH-CN_TOPIC_0000002165355492__menucascade1349014217285">“<span class="uicontrol" id="ZH-CN_TOPIC_0000002165355492__uicontrol1948918423288"><span id="ZH-CN_TOPIC_0000002165355492__text91558518502">More</span></span> &gt; <span class="uicontrol" id="ZH-CN_TOPIC_0000002165355492__uicontrol76601943102811"><span id="ZH-CN_TOPIC_0000002165355492__text127035101508">Detect Now</span></span>”</span> in the row of the target snapshot.</li><li 
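id="ZH-CN_TOPIC_0000002165355492__li2150619102513">Select <span class="uicontrol" id="ZH-CN_TOPIC_0000002165355492__uicontrol17618962912">“<span id="ZH-CN_TOPIC_0000002165355492__text233919115584">Detect immediately after a ransomware detection snapshot is generated</span>”</span>.<ul id="ZH-CN_TOPIC_0000002165355492__ul11808153312296"><li id="ZH-CN_TOPIC_0000002165355492__li10485132512295">Configure the <span class="uicontrol" id="ZH-CN_TOPIC_0000002165355492__uicontrol19785484395">“<span id="ZH-CN_TOPIC_0000002165355492__text109221073011">In-Depth Detection of Backup Copies</span>”</span> parameter. This parameter applies only to file systems of OceanProtect dedicated backup storage devices. When it is enabled, the OceanCyber 300 data security appliance parses and detects the backup copy files in the backup storage in depth, to assess whether the original files inside the copy (the files on the backed-up production storage device) are infected. Enabling this function may prolong the overall detection time.<div class="note" id="ZH-CN_TOPIC_0000002165355492__note0587455585"><img src="public_sys-resources/note_3.0-zh-cn.png"><span class="notetitle"> </span><div class="notebody"><ul id="ZH-CN_TOPIC_0000002165355492__ul16617115054712"><li id="ZH-CN_TOPIC_0000002165355492__li13617185074717">After <span class="uicontrol" id="ZH-CN_TOPIC_0000002165355492__uicontrol1097720385913">“<span id="ZH-CN_TOPIC_0000002165355492__text797712382095">In-Depth Detection of Backup Copies</span>”</span> is enabled, you can adjust the sensitivity of the backup copy detection algorithm. With high sensitivity, an alarm may be triggered when a small amount of data is encrypted or a similar operation occurs, which increases the risk of false positives. Unless the service scenario has special requirements, “Medium” sensitivity is recommended.</li><li id="ZH-CN_TOPIC_0000002165355492__li4617155010477">The sensitivity adjustment of the copy detection algorithm takes effect only for backup copies of virtual machines, databases, or host files backed up by Veeam.</li></ul>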
</div></div>
</li></ul>
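<ul id="ZH-CN_TOPIC_0000002165355492__ul566151318912"><li id="ZH-CN_TOPIC_0000002165355492__li206615139915">Configure the <span class="uicontrol" id="ZH-CN_TOPIC_0000002165355492__uicontrol13661013894">“<span id="ZH-CN_TOPIC_0000002165355492__text156661312913">Lock Uninfected Snapshots</span>”</span> parameter. The “<span id="ZH-CN_TOPIC_0000002165355492__text266111316913">Lock Uninfected Snapshots</span>” parameter locks snapshots in which no ransomware files were detected. When it is enabled, uninfected snapshots are converted to secure snapshots, the snapshot expiration time is delayed to some extent, and the snapshots cannot be modified or deleted before they expire.</li></ul>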
</li></ul>
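</p></li><li id="ZH-CN_TOPIC_0000002165355492__li278418594584"><span>Configure ransomware detection snapshots. The scenarios are described in <a href="#ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_table1591417351806">Table: Scenarios for configuring an intelligent ransomware detection snapshot policy</a>.</span><p><div class="p" id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_p1191213351402">Set the ransomware detection snapshot generation frequency, the time window for generating ransomware snapshots, and the snapshot retention period according to your service conditions. Recommendations:<ul id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_ul169120351012"><li id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_li11556248153216">The intelligent ransomware detection rate is about 1,000 changed files per second. Evaluate the ransomware snapshot generation frequency based on the number of files in the file system. It is recommended that the interval between ransomware snapshots be longer than the time that intelligent ransomware detection takes, to reduce the backlog of detection tasks.</li><li id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_li139122353016">It is recommended that the time of the first ransomware snapshot generation be the same as the start time of the time window.</li><li id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_li129129359010">The snapshot retention period must be longer than the interval of one ransomware snapshot generation cycle.</li></ul>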

<div class="tablenoborder"><a name="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_table1591417351806"></a><a name="zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_table1591417351806"></a><table cellpadding="4" cellspacing="0" summary="" id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_table1591417351806" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Scenarios for configuring an intelligent ransomware detection snapshot policy</caption><colgroup><col style="width:10.83%"><col style="width:13.889999999999999%"><col style="width:75.28%"></colgroup><thead align="left"><tr id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_row391217351202"><th align="left" class="cellrowborder" colspan="2" valign="top" id="mcps1.3.3.2.6.2.1.2.2.4.1.1"><p id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_p591273518016">Scenario</p>
</th>
<th align="left" class="cellrowborder" valign="top" id="mcps1.3.3.2.6.2.1.2.2.4.1.2"><p id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_p2912103510019">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_row19132351607"><td class="cellrowborder" colspan="2" valign="top" headers="mcps1.3.3.2.6.2.1.2.2.4.1.1 "><p id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_p1791310351307"><span id="ZH-CN_TOPIC_0000002165355492__text258102520408">Yearly</span></p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.6.2.1.2.2.4.1.2 "><p id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_p1138183754211">Run once every year on month xx, day xx; retain snapshots for xx days/weeks/months/years/permanently; ransomware snapshots may be generated from xx:xx:xx to xx:xx:xx.</p>
</td>
</tr>
<tr id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_row10172155863813"><td class="cellrowborder" colspan="2" valign="top" headers="mcps1.3.3.2.6.2.1.2.2.4.1.1 "><p id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_p1236218263914"><span id="ZH-CN_TOPIC_0000002165355492__text13709143517403">Monthly</span></p>
</td>
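<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.6.2.1.2.2.4.1.2 "><p id="ZH-CN_TOPIC_0000002165355492__p429217582589">Run once every month on day xx (a specified date) or on the last day; retain snapshots for xx days/weeks/months/years/permanently; ransomware snapshots may be generated from xx:xx:xx to xx:xx:xx.</p>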
</td>
</tr>
<tr id="ZH-CN_TOPIC_0000002165355492__row782441875816"><td class="cellrowborder" colspan="2" valign="top" headers="mcps1.3.3.2.6.2.1.2.2.4.1.1 "><p id="ZH-CN_TOPIC_0000002165355492__p18286183516581"><span id="ZH-CN_TOPIC_0000002165355492__text254211474403">Weekly</span></p>
</td>
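<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.6.2.1.2.2.4.1.2 "><p id="ZH-CN_TOPIC_0000002165355492__p08251418135812">Run once every Monday/Tuesday/Wednesday/Thursday/Friday/Saturday/Sunday (multiple days can be selected); retain snapshots for xx days/weeks/months/years/permanently; ransomware snapshots may be generated from xx:xx:xx to xx:xx:xx.</p>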
</td>
</tr>
<tr id="ZH-CN_TOPIC_0000002165355492__row235723215587"><td class="cellrowborder" colspan="2" valign="top" headers="mcps1.3.3.2.6.2.1.2.2.4.1.1 "><p id="ZH-CN_TOPIC_0000002165355492__p498193665815"><span id="ZH-CN_TOPIC_0000002165355492__text35589589400">Daily</span></p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.6.2.1.2.2.4.1.2 "><p id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_p176602843519">Starting from time xx, run once every xx days; retain snapshots for xx days/weeks/months/years/permanently; ransomware snapshots may be generated from xx:xx:xx to xx:xx:xx.</p>
</td>
</tr>
<tr id="ZH-CN_TOPIC_0000002165355492__row1395102635814"><td class="cellrowborder" colspan="2" valign="top" headers="mcps1.3.3.2.6.2.1.2.2.4.1.1 "><p id="ZH-CN_TOPIC_0000002165355492__p678203811581"><span id="ZH-CN_TOPIC_0000002165355492__text26067145413">Hourly</span></p>
</td>
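<td class="cellrowborder" valign="top" headers="mcps1.3.3.2.6.2.1.2.2.4.1.2 "><p id="ZH-CN_TOPIC_0000002165355492__p295117269582">Starting from time xx, run once every xx hours; retain snapshots for xx days/weeks/months/years/permanently; ransomware snapshots may be generated from xx:xx:xx to xx:xx:xx.</p>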
</td>
</tr>
</tbody>
</table>
</div>
</div>
<p id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_p19806916101417">Once the configured snapshot retention period is exceeded, the system automatically deletes the expired snapshots.</p>
<div class="note" id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_note25251113121414"><img src="public_sys-resources/note_3.0-zh-cn.png"><span class="notetitle"> </span><div class="notebody"><ul id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_ul20525121320142"><li id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_li05251713151410">If the end time of the window in which ransomware snapshots may be generated is earlier than or equal to the start time, the end time is actually the end time on the following day.</li><li id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_li1552591313146">If a ransomware snapshot generation task is not completed within the specified time window, the system does not abort the task but reports an alarm.</li></ul>
</div></div>
</p></li><li id="ZH-CN_TOPIC_0000002165355492__li713074195710"><span>Configure the advanced parameters of the intelligent detection policy. The parameters are described in <a href="#ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_table79151351804">Table: Advanced parameters of an intelligent detection policy</a>.</span><p>
<div class="tablenoborder"><a name="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_table79151351804"></a><a name="zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_table79151351804"></a><table cellpadding="4" cellspacing="0" summary="" id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_table79151351804" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Advanced parameters of an intelligent detection policy</caption><colgroup><col style="width:30.06%"><col style="width:69.94%"></colgroup><thead align="left"><tr id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_row791411353020"><th align="left" class="cellrowborder" valign="top" width="30.06%" id="mcps1.3.3.2.7.2.1.2.3.1.1"><p id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_p1291453517013">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="69.94%" id="mcps1.3.3.2.7.2.1.2.3.1.2"><p id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_p491413351904">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_row291417351304"><td class="cellrowborder" valign="top" width="30.06%" headers="mcps1.3.3.2.7.2.1.2.3.1.1 "><p id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_p189144351802"><span id="ZH-CN_TOPIC_0000002165355492__text15387354417">Task Failure Alarm</span></p>
</td>
<td class="cellrowborder" valign="top" width="69.94%" headers="mcps1.3.3.2.7.2.1.2.3.1.2 "><p id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_p11872124113514">Enabled by default. An alarm is sent when a task fails and is cleared automatically after the next task succeeds.</p>
</td>
</tr>
<tr id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_row691510358017"><td class="cellrowborder" valign="top" width="30.06%" headers="mcps1.3.3.2.7.2.1.2.3.1.1 "><p id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_p8915535609"><span id="ZH-CN_TOPIC_0000002165355492__text1954265712418">Automatic Retry After Failure</span></p>
</td>
<td class="cellrowborder" valign="top" width="69.94%" headers="mcps1.3.3.2.7.2.1.2.3.1.2 "><p id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_p59151935109">Enabled by default. The system retries automatically after a ransomware detection snapshot generation task fails.</p>
<div class="p" id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_p159158351007">The number of retries can be 1 to 5, and the wait time can be 1 to 30 minutes. For example, with 3 retries and a 5-minute wait, the system retries once every 5 minutes, 3 times in total.<div class="note" id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_note1191518351206"><span class="notetitle"> Note: </span><div class="notebody"><p id="ZH-CN_TOPIC_0000002165355492__zh-cn_topic_0000001340823161_zh-cn_topic_0000001283134344_p49151035302">For an automatic retry, the system creates a new ransomware detection snapshot generation task. If that task falls outside the configured time window, it is not executed and this generation attempt fails.</p>
</div></div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="ZH-CN_TOPIC_0000002165355492__li12971122751319"><span>Click “<span id="ZH-CN_TOPIC_0000002165355492__text195347135428">OK</span>” to finish creating the intelligent detection policy.</span></li></ol>
</div>
</div>
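<p>The scheduling rules in this procedure (a detection rate of about 1,000 changed files per second, retention longer than one generation cycle, a window that ends on the next day when its end time is not later than its start time, and retries that only run inside the window) can be checked before a policy is created. The following is an added example, not code from the open-eBackup project or the product; the function names, the finding codes and the inclusive window bounds are assumptions made for illustration.</p>

```python
from datetime import datetime, time, timedelta

DETECTION_RATE = 1000  # changed files/second: the approximate rate stated on this page

def in_window(t, start, end):
    """Is time-of-day t inside the snapshot window? end <= start means the
    window ends on the next day (inclusive bounds are an assumption)."""
    if end <= start:
        return t >= start or t <= end
    return start <= t <= end

def retry_times(failed_at, retries, wait_minutes):
    """One retry every wait_minutes after the failure, `retries` in total."""
    if not (1 <= retries <= 5 and 1 <= wait_minutes <= 30):
        raise ValueError("expected 1-5 retries and a wait of 1-30 minutes")
    return [failed_at + timedelta(minutes=wait_minutes * i)
            for i in range(1, retries + 1)]

def check_policy(changed_files, interval, retention, start, end,
                 failed_at, retries, wait_minutes):
    """Return finding codes for a planned policy; retention=None means permanent."""
    findings = []
    detection_time = timedelta(seconds=changed_files / DETECTION_RATE)
    if interval <= detection_time:
        findings.append("backlog")        # detection cannot keep up with snapshots
    if retention is not None and retention <= interval:
        findings.append("retention")      # snapshot expires within one cycle
    if any(not in_window(r.time(), start, end)
           for r in retry_times(failed_at, retries, wait_minutes)):
        findings.append("retry-skipped")  # a retry lands outside the window
    return findings

if __name__ == "__main__":
    # Constructed plan: hourly snapshots, 5 million changed files per cycle,
    # 1-hour retention, window 22:00-06:00, failure at 05:50, 3 retries x 5 min.
    print(check_policy(5_000_000, timedelta(hours=1), timedelta(hours=1),
                       time(22, 0), time(6, 0),
                       datetime(2025, 1, 1, 5, 50), 3, 5))
```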
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="zh-cn_topic_0000002165515180.html">Configuring Intelligent Detection (Post-Event Blocking)</a></div>
</div>
</div>

<div class="hrcopyright"><hr size="2"></div><div class="hwcopyright">Copyright &copy; Huawei Technologies Co., Ltd.</div></body>
</html>